Documentation

Install Fendix, run your first scan, and understand the output in under five minutes.

Full coverage map: auth, CORS, headers, cookies, secrets, injection, XSS, SSRF, IDOR, open-redirect, host-header, GraphQL, method-tampering, dependencies, and spec analysis.

Every security check listed with detection logic, severity, and whether it requires active probing.

ADR records behind the Go + Python hybrid design, IPC contract, and severity scoring model.

Three-track engine evaluation: F1 = 1.000 on the synthetic labeled corpus, +5 CRITICALs on Juice Shop vs v0.6.1, 147 findings in 17 s on PyGoat.

Cold-start benchmark: 6.1 ms p50 default (no Python), 40.7 ms with --python-engine. 82× under the Phase 17b exit gate. Binary-size delta + reproduction harness.